Saturday, October 31, 2009

Q: If you ride a smelly, ugly goat along the road and then meet a handsome stranger who promises to give you a new ride: a beautiful unicorn that can fly, teleport, butt enemies with its horn and doesn’t need any cleaning, should you take it?

Friday, October 30, 2009

If you’ve ever been to a ghost town before, you didn’t need to go to CSI this year. It seemed to have only a few people even at HOT topics. Initially I thought that it was because I spent only the last day of the show there, but others told me that it was not the case. I saw a ghost of risk management there, BTW…

TechRumble on CSI (some fun cloud stuff that I missed at the show is mentioned there; quote: “Today even a 1-person startup can compete with Google and IBM in terms of infrastructure”)

Also, if you’d like to see my “PCI DSS as a framework for security” presentation (with voice and all!), go here. It is essentially the same presentation that I gave at CSI, minus some magic tricks I played on the live audience :-)

BTW, if you suffer from mild voyeurism, you can see a picture of me giving this presentation here (yes, I had explosions and demons in my PCI presentation :-)).

Thursday, October 29, 2009

Sadly, I only had one day to spent at this fun event, but it was definitely well worth it. I missed some of the keynotes as I was speaking with various people, so the first presentation I went to was supposed to be about “HBSS Open Framework.” In this reality :-), it was replaced by John Pescatore from Gartner. He started to go about FISMA and NIST 800-53 (and even FDCC) popping up in commercial space (contractors mostly), but then quickly boosted into the cloud :-)

One fun thing he sad was that what he used to call “nightmare [cloud] scenario” is now called “everybody scenario.” His theme was that we used to think that security needs to be included when new [cloud] infrastructure is being built BUT (!) this moment is slipping away FAST! He even uttered that we need to “inject security back” as cloud train is speeding out of the station. His vision can be summarized as “MySecurity.cloud” – some kinda SaaS service that you go “through” before accessing other cloud services. He then quickly summarized what is the status of such “cloud exodus” now: vulnerability management is "”fully gone”, various filtering (“network security in the cloud” - he called it “MitM security”) is going now, what will go next (log management or SIEM)?

Another interesting thought was about “full stack, continuous VM” – don’t just check for presence of Skype (for example – he really means “all apps” including consumer apps on work PCs!) or for vulnerabilities in Skype, but check whether Skype is configured securely. He also show this fun chart:

/\ | axis: value to business

high

embrace

contain

low

disregard

block

low

high

axis: security pressure ->

[I love how Gartner folks can visualize something complex into a neat chart…]

Another insightful thought from him was that the world has shifted away from directories. There is “no directory for cell phone” – instead “ring of trust” such as Facebook is it…

Next I went to see Ed Bellis fling some SCAP goodness. The main idea is that one can build a tool to automate the layer of tasks and issues above vulnerability assessment. Basically, the whole workflow from discovery –> remediation task planning –> fixing the issue –> retest –> validate + track everything for all regular and custom web application vulnerabilities. I find it really, really curious that VM vendors didn’t do it like this …. So, this was very useful and checking the slides

when posted will come hand. I found it interesting that there is absolutely no reconciliation between “security asset management/discovery” with “real IT asset management.” IMHO it drives the nail into a coffin of “IT ops and security convergence” theme that many folks adore … Also, web application flaw severity scoring is still a big hole. Where is CWSS when you need it? :-)

Next I made a mistake of going to a vendor presentation. It was so salesy I almost puked :-) BTW, the name of the vendor rhymes with “BigAss.” Please, dear BigAss folks, next time send somebody who can talk substance and not just that you are “strong in government!”

As far as trend watching, for a brief second I sensed that “SCAP use outside of the government” is an emerging trend, but it really isn’t. Using CVE and other identifiers as well as CVSS for scoring – outside the government or anywhere else for that matter – does not SCAP use make. It is simply called “common sense” :-) Now, if you found some use for the juiciest pieces of SCAP – OVAL and XCCDF – then we are talking…

Next I went to CEE presentation and my log standards challenges presentation. Obviously, this was the highlight of the day. At this stage, BTW, now I am convinced we can win this one and start standardizing the logs! In particular, we will release the architecture specification in about a week or two.

I am writing this on the train to CSI2009, notes from that show will come tomorrow…

Tuesday, October 27, 2009

The Wal-Mart story inspired me to summarize the most egregious, reckless, painful, negligent, sad, idiotic examples of “Log FAIL.” Here they are:

Logging disabled: if you got a system which had operational logging enabled by default and then you turned it off before deploying in production – congratulations! You truly earn your title of a Log Idiot! :-)

Logging not enabled: this is more sad than anything else … and the person who will suffer the most from this is likely the one who has caused it. After all, you’d need those logs at some point yourself. There is nothing sadder than see a person having to explain to management, police, FBI, press, QSA, SEC, whoever: “Well, logging … was … never … enabled!” (check out this motivational horror story)

No log centralization: Windows admins, read this one – logs on the machine that crashed, was 0wned or even stolen will do you absolutely no good. It used to be that only Unix administratory can do this (via the magic of /etc/syslog.conf line “*.* @loghost.example.com”), but you, on the Windows side, could not. Please notice that the world isdifferentnow! (check out this deck on benefits and tips related to log centralization)

Log retention period too short: the picture on the right should make this item (as well as the one above) painfully clear: doing “the right thing” and building the centralized logging infrastructure and then limiting the retention to 30 days is still “log FAIL.” Many, many scenarios today require logs from the past – for the juiciest examples check all therecent “compromised in 2006 – discovered in 2008” stories (see some here in this deck)

No logging of “Granted”, “Accepted”, “Allowed”, etc: I don’t even know where to start on this one – maybe thus: logging a firewall “connection blocked” events simply means that the firewall was doing its job, logging “connection allowed” shows that somebody is now in your network… The same idea applies to logging “login failed” and missing “login successful” – please make really sure to always log both (readthis tip for more examples, instructions and ideas)

Bad logs: if you are in operations, this is truly not your fault. But if you are in development – it probably is. Creating such logging classics as “failed successfully” and “login failed” [with no actual user name recorded] are fine examples of this “log FAIL.” Be aware that our work on CEE will fix it eventually, but more hilarity will have to transpire before it happens (see this deck for some ideas on how not to engineer logging and how to do it – and for some examples of hilarity, of course)

No log review or nobody is looking at logs: I am saving this “log FAIL” for last; logs are created to be reviewed, monitored, searched, investigated, etc and NOT – I assure you! – to simply use up disk space (check my famous “Top 11 Reasons to Look at Logs” as well the classic “Top Logging Mistakes” for more info on this one)

Monday, October 26, 2009

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security AND Compliance." Here is an issue #20, dated Oct 25, 2009 (read past ones here).

This edition of dedicated to all the folks who write blogs, but never read blogs. Shame on you :-)

Some fun metrics-related reading: “A Bit on the State of Security Metrics” (quote: “Security is a complex system based on a combination of biological (people) and computing elements. Thus our ability to model will always have a degree of fuzziness.”) and Metricon 4.0 slides (some exude pure awesomeness).

Cyber Security Awareness Month is almost over. Here is my token tribute to it – a link to SANS “month of tips”” Day 1 - Port 445 - SMB over TCP, Day 2, etc. (BTW, here is somebody making fun of the whole thing)

Burton Group weighs in on SaaS security; key quote: “[cloud] vendors will provide the controls they feel are necessary to get and retain customers. They will provide proof to the customers of the controls if asked and as long as the proof does not increase their costs too much.”

Philippe on the shift to the cloud [PDF]. Quote: “One day, almost everything we do on private networks – manage information, applications, infrastructure, and services – will be accessible instantly and securely from anywhere and from any Web browser.”

Good or bad data, but this is worth thinking about: “PCI Survey Finds Some Merchants Don't Use Antivirus Software” (PCI haters should read it too, BTW!) This is about folks who security is nowhere near PCI DSS levels. Key quote: “Around 10 percent of the respondents who said they were PCI DSS compliant said they weren't using basic security software such as antivirus, firewalls and SSL.” More comments on it here.

Fun interview with Bob Russo. Enough said. Quote: “How many [QSAs] have left the QSA program because they weren't able to recertify [after being kicked in the balls by the QSA QA SWAT team]?”

Sunday, October 25, 2009

I am hearing some interesting rumors… But let’s take a step back. PCI DSS Requirement 5.1 mandates the use of anti-virus on systems in scope of PCI (“Deploy anti-virus software on all systems commonly affected by malicious software”)

Now, when people think “AV software” they think about classic anti-virus with daily updates, painful scans, etc. In other words, “enumerating badness”, blacklisting, FAIL, etc. Give relatively low adoption of the whitelisting for desktop security (and slightly wider adoption for single-purpose systems such as PoS or industrial control boxes), I was under impression that the issue of whether a whitelisting protection would be a satisfactory control for PCI Requirement 5 was never presented to a QSA.

Well, I was mistaken. It seems like many QSA WILL accept a whitelisting-based security application for Req 5, even if it is a pure whitelisting app with no embedded blacklisting mini-engine. Isn’t it cool?

And the rumor was that PCI Council will issue some kind of an opinion on this soon. So, maybe, just maybe, PCI gods will bless this technology into wider adoption – I think it might well happen. And I think it deserves to happen, especially since some vendors have usable implementations of whitelisting which does not plunge its user into “granular-policy-writing hell” (but more on this in the future…)

Friday, October 23, 2009

"It's too bad I am not building an open-source SIEM … but if I would" (extra credit: guess the inspiration for this line), I would actually not build a software security information and event management (SIEM) product.

If I were doing it (and I am not!), I’d built an open-source-based “cloud SIEM” with a default option to have it hosted by the vendor (that is you) as well as with a possibility to have it hosted by the customer (that is, old school on-premise model). The latter option would give you a classic open source “product.”

Think about it! If you are a new company, you cannot afford to be in the appliance business. That leaves two choices: software and SaaS. If you want to sell software, you are probably insane, go lock yourself up :-) If you want to give away software and sell services, you are OK. But won’t SaaS be better? And you can combine it with on-prem model, if some folks insist. My recent employment made me quite SaaS-obsessed, since I had a chance to observe an excellent SaaS operation from the inside. It was amazing how easy it is to provision trials as well deploy the service in production, track usage and improve customer experience.

But let’s take a step back first! A lot of folks try to understand the relationship between “open source” and “cloud everything” (discussions about their relationship here, here, here and obviously here). The main idea here is the following: if people have “trust issues” with cloud providers, what is a better “mistrust breaker” than showing the source code for your solution? “Wonna audit?” - “Knock yourself out!” Moreover, if people have “hidden costs issues” with open source software, what is a better way to mitigate it but to offer to run it for them? No hidden costs, not even electricity…

So, if you are possessed by SIEM aspirations (and I am not!), head to the clouds. For starters, your tool will be easier to deploy and update. But what is much more important, you’d take a fare shot at solving scalability problems without being a database tuning uber-guru. Unlike early software SIEM vendors (FAIL!), you won’t have to sheepishly point in the direction of mammoth Sun boxes, you’d just fire up another EC2 instance (or a thousand). Moreover, on the scalability front, you’d have a fare shot against established SIEM vendors: I often hear rumors that even today, in the age of “cheap hardware”, some large organizations with loads of log data simply cannot architect a SIEM to handle all their security log data. And cloud computing leads to affordable scalability!

Solving these performance problems will let you use the CPU resources for log data parsing, correlation, stored data analysis and all sorts of other fun stuff. Storage, whether raw text or parsed data, will be even easier. Bandwidth will be a bit tricky, but I am leaving it out of this piece for a particular reason … don’t want to spill too much (I am leaving “the collection challenge” out as well).

Finally, as cloud applications [as well as web applications, in general] grow in importance, the whole idea of “SIEM in the cloud for the cloud” won’t be as naive. As we know, the need for auditing comes last (here), but when it does come, it will come in force and both SMBs and F2000s will have this problem. And it never hurts to be better prepared for the death of on-prem apps, if we are to believecertain visionaries.

So, throw together some EC2 magic, some database code and a sleek, well-designed UI to delight the users – and you are ready to do battle with foes 10x your size…

I am not at Qualys anymore and looking for the next big security idea to work on! Meanwhile, I might be available for fun consulting projects related to PCI, log management or other fun security things.

Monday, October 19, 2009

“Into the breach” by Michael Santarcangelo is actually a fun read; it seems to be a useful book on security for management. It is non-technical by design since it is about the people side of security. In fact, he presents security itself as “a human issue.”

One of my favorite sections in Part 1 reminds that many policy violations happen because people just want to do their jobs better (the author also claims that people “want to do the right thing” if such choice is easy enough). I loved the “compliance is not a video game” theme, where your faults do not have real world consequences, as well as “security as something inflicted upon the organization” and “security as a crash diet” themes. What is also interesting is that the book seeks to solve one of the key problems of “what is risky?” vs “what is only perceived as risky?”

The part of the book is Part 2 where author’s “strategy to protect information” is unveiled. The author then goes into some level of details on how to implement the strategy (run a pilot, “build a flywheel”, etc).

On the negative side, I was saddened that Michael succumbed to a popular insider myth (on page 11 – “70% of attacks are by insiders”) while trying to dispel another security myth. That is the risk anybody runs while quoting too many questionable surveys. Also, the book sounds too fluffy at times (e.g. the strategy is “understand-engage-optimize”, frequent advice to “be effective”, etc), but does seem to convey its message pretty well.

Overall, if you are managing security on a high level, or manage IT or even the whole business, read this book. It is short enough so that such people will read it and get the ideas! If you are a security pro and can handle a non-technical volume, grab it as well and keep in mind that this is a management book. After reading it, please give it you your manager!

Friday, October 16, 2009

“… But let’s get back to Josh’s demonological metaphor and consider some of the ways that PCI resembles ...” the Benign Deity (specific deity is up to the reader…)

The God holds promise. PCI DSS offers its adherents access to the spiritual riches — and not only those attainable through debit and credit cards—so long as they know and respect (and validate!) PCI’s 12 commandments. While delivering its spiritual riches, it also makes its adherents BETTER in the process: better security, better businesses, better awareness of the threats.

The God is honest. PCI does not promise falsities such as “to make retailers secure against hackers.” It promises to raise them out of the ignorance and “0wnage” to finally having a modicum of much-needed security technology and process.

The sorry history of breaches, blowouts, and damaged reputations attests that there is a long and sometimes difficult road ahead of us and that both faith and hard work will be needed along the way.

The great thing is that PCI is likely the best that many organizations can use to protect a transaction technology based on account numbers, magnetic stripes, fixed user identities, and passwords.

The God is an inspiration for goodness. PCI has led countless companies and organizations to improve security and reduce their operational risks – as well as instill customer confidence.

Security professionals often find themselves assisted by the PCI God when they win an argument with management which then allows them to start taking actions to block threats and keep the business running and out of the negative press. PCI both inspires them to build a solid security program and helps them as a powerful force for good security.

The God loves humanity, even its haters. As at least one commentator has pointed out, the PCI standard is a brilliant way to shift responsibility for IT security from card issuers to retailers.

It is indeed brilliant since many merchants are negligent and lose card data in massive amounts as a result of their own ignorance, but issuing banks have to “eat” all of the card replacement costs which are due to no fault of their own.

Card issuing banks did not invent and institute the technologies that have proven so vulnerable to moderately skilled hackers. When a breach occurs, merchants shrug and talk about their devotion to promulgating security measures, knowing that the issuers will be left with all of the card replacement costs and some of the fraud costs.

The God is sometimes a sacrificial lamb. There are two groups that will vehemently attack the virtues of PCI by completely lacking any insight into it. One group are organizations who refuse to implement any security measures and prefer to be negligent and breach the social contract with their customers by losing their data left and right. The other group are idiotic perfectionists who want all the data to be protected all the time, no matter what the business impact. The latter group also wants somebody (but, obviously, not them!) to pay for an overhaul of the world’s electronic payment processing systems.

Vendors that provide security solutions and those that provide PCI assessment services, also known as qualified security assessors (QSA), will always position PCI as necessary and useful for security. Indeed, PCI God guides the willing – by providing the Data Security Standard – and motivates those still in the darkness – by providing the validation regime and His army of God’s Angels aka QSAs.

At this point, readers may ask, with all of the God’s awesomeness and track record in doing good even to those who prefer to remain ignorant, why do people criticize it? Well, remember the old saying: "I see..."

UPDATE: link for the "I see..." updated; the previous link had some bad language in comments. Thanks for one of my readers for pointing it out.

Thursday, October 15, 2009

I spent a day yesterday at Cornerstones of Trust Conference conference here in Bay Area. The event was “a cooperative effort of the San Francisco Bay and Silicon Valley chapters of the Information Systems Security Association (ISSA); and San Francisco Bay Area InfraGard.”

Do you know what amazed me the most about this event? Lack of tweeting! Back at RSA and BlackHat, you can see flashes of TweetDeck everywhere in the audience, if you look from the back. Here – you see a lone gunman…eh... tweetman :-) In any case, I invented” the hashtag “#cornerstonestrust” and took some notes; read them here (as usual, you have to read from the bottom).

The conference was fun, but I couple of times I had my “buffoon alert” tingled. For example, somebody said that Heartland is suing their QSA and, to the best of my knowledge, that is not true. Cloud sessions – both of them – were pretty interesting. I learned what is “cloud angst” and realized that despite CSA work, people are still creating their own cloud provider diligence sheets (hopefully, the upcoming version 2 will help). The innovation keynote reminded me of my ROTC training in PsyOps. Namely, when you push your message too hard, people just start doubting you (our ROTC colonel also cautioned us from ever saying anything like “I am not saying it because I profit from it; on the opposite…” :-))

Wednesday, October 14, 2009

As some of you know, I’ve been secretly working on a one day SANS Log Management class for quite some time now. A few trials were conducted and most-if-not-all-all guinea pigs survived their encounter with the log :-)

It now seems increasing likely that this class will be first launched at SANS CDI 2009 in DC this December.

Description: This first-ever dedicated log management class for IT and security managers will cover system, network, and security logs and their management at an organization. We will start with the basics, like making sure that logs exist, and then go on to touch upon everything from managing log storage, to analysis techniques, to log forensics and regulatory issues related to logging.

In the beginning, we will cover various log types and provide configuration guidance, describe a phased approach to implementing a company-wide log management program, and go into specific tasks that IT and security managers need to be focusing on a daily, weekly, and monthly basis in regards to log monitoring.

A unique and comprehensive section that covers the hot topic of using logs for regulatory compliance, such as PCI DSS, will also be presented. Everybody knows that logs are essential for resolving compliance challenges; this class will teach you what you need to concentrate on and how to make your log management compliance-friendly.

The class will also touch upon various uses of logs for incident response, forensics, and operational monitoring. Common logging mistakes, learned from many years of working with logs, will also be explained.

Logs and log analysis have long been one of the most challenging areas of security; they are also closely tied to proper system and network administration practices. With regulatory compliance added on top with specific requirements on log collection, retention, and analysis (such as those found in PCI DSS), there has never been a better time to FINALLY get your logs under control. This class is the first-ever dedicated class on getting your log management project right. If you know that "you need to have those logs handled!", sign up and learn exactly how to do that. Many years of experience with logs went into this class and so you, an attendee, have a chance to avoid the most damaging mistakes and learn from many years of the author's experience with logging, log management, log tools, and the use of logs for various purposes.

“one of the documents that flew off to Minsk from a programmer’s machine was titled“POS Store Systems Technical Specifications TLOG Encryption and Financial Flows.” […] The hackers also stole or accessed files containing point-of-sale source code and executables, as well as additional proprietary documentation detailing the company’s transaction processing network.”

On PCI role:

“Wal-Mart says it received a number of [PCI DSS compliance validation] deadline extensions […] … became certified as PCI-compliant in August 2006 by VeriSign. After it discovered the breach in November 2006 …”

So, let’s analyze this a bit: what creates such tidal wave of PCI security marketing stupidity is a mindset of some vendors. They keep thinking “how to sell our shit using PCI?” and not “how to help organizations with PCI challenges?” This is what drives people to buy encryption instead of not storing the data, to deploy IDS sensors with alerts going to /dev/null, to scan web sites and never fix them, etc.

It is not uncommon for a security vendor to review a report that says that “only 6% of companies under PCI DSS use a technology X mentioned in the standard” (and that said vendor happens to produce) and then think “Wow, those merchants are stupid! They really should buy out shit NOW!” A quick question to merchants reading this: do you guys like it? :-)

The answer is obviously “NO!” You probably want said vendor to actually understand your problems with PCI DSS and then offer, well, SOLUTIONS! It is very hard for some vendor to shift to that helpful mode if they keep obsessing about the following: “Problems? What do you mean “what problems we solve?” – out bottom-line is our problem! ‘PCI-says-YOU-MUST-BUY!’” :-(

Yes, PCI DSS does mandate the use of many security technologies and it is prudent to mention that fact, whether you are vendor looking to help others or an end user looking to gain management support. Admittedly, I’ve long called PCI our sledgehammer of both awareness and budget for information security. But you can build a house with a hammer or .. you know how this metaphor goes :-) PCI DSS has a lot of energy to motivate people to improve security, please help them do just that!

But what if a merchant’s only perceived challenge is to “make QSA go away and take his PCI thing with it?” Obviously, the other side of the coin is merchants buying something (like a Dell box with the the label “FIREWALL” taped on [source here]) just to fake validation. This is where you as a vendor must evangelize! As Guy would explain, “evangelism” is not the same as “shouting the loudest” or “lying the vilest,” it is educating and then eventually converting the customer base to your way of thinking, which also happen to be the most useful one for them as well…

Finally, if you did get here after googling for “pci-dss market analysis,” please keep in mind:

Payment card security standard is called “PCI DSS”, not “PCI-DSS.”

There is no such thing as “PCI market” so there is nothing to “analyze”; PCI is not for sale :-)

Thursday, October 08, 2009

In any case, this post was inspired by a weird conversation I had with a particular QSA, who shall remain nameless. Right in the middle of the discussion, he uttered the usual “compliance does not equal security.” I nodded and made some incomprehensible agreement sounds.

And then he tossed a bomb: “And, as you know, security does not equal compliance.”

I was like: “… ah … eh … mmmm … really?… mmmm … I guess so”

But seriously?

Blabbing “compliance does not equal security” is a secret rite of passage into the League of High Priests of the Arcane Art of Security today. Still, it is often quietly assumed that a well-managed, mature security program, backed up by astute technology purchases and their solid implementation will render compliance “easy” or at least “easier.” One of my colleagues also calls it “compliance as a byproduct.” So, I was shocked to find out that not everyone agrees…

Let’s explore what the deal is.

First, we all know that “focus on compliance, ignore security” is a recipe for EPIC FAIL, usually of both. This is what I called “compliance first” thinking and it is indeed scary. For those who like FUD, you end up BOTH “0wned” and fined + embarrassed in the media [if you are big], on top of it.

Second, let’s assume for simplicity that you completely ignore regulatory requirements (not sure why anybody would want to do that though …) and just focus on your best understanding on what you need to do for protecting data, infrastructure, “keeping the wheels on,“ etc. If you execute perfectly on that and then go read, say, PCI DSS, you will find out that you likely have a gap. How big of a gap? I don’t now, but it is likely that closing the gap will not make you less secure. For some regulations, you can also argue that your measures protect the data better than the prescribed ones (see Branden’s “The Art of Compensating Control” for more on that). So, in the worst case, you’d waste a bit of time/money … or so the thinking goes.

Are we missing something?

Yes, we are! The third, most interesting case is: you read the regulations, you consider what you need for protecting data and then implement what you think is an intelligent combination of both. Then the assessor (PCI DSS)/auditor(other) comes to validate your compliance. And he finds a particular control that you implemented to protect the data (e.g. an appliance has no administrative access from the local network; it is managed by the vendor only) and says that this control is not compliant (e.g. requirement 8.5.6 says that you can “Enable accounts used by vendors for remote maintenance only during the time period needed”). Now, an obvious first reaction is to dismiss such assessor as an idiot, who just doesn’t “get security.” However, the situation is real: security thinking (even if stale at times…) evolves faster than any regulations. But I’d really like to hear about cases where security-inspired compliance requirements forced somebody to reduce security that was the motivation for those very requirements? I bet these would be extremely rare – and if you subtract those that are explained by the assessor/auditor inexperience, the number would be very, very close to zero!

What I suggest is that the whole industry debate about “security vs compliance” should be switched from a mildly idiotic “equals” (well, they are called different names, maybe it means they are not really equal") to a saner “helps.”

“Risk-less security” from SecurityBalance has gems like “discussions about decision making (risk based vs. others) is the only thing interesting for me today on the security field” and “if PCI DSS is working, it’s certainly not because of those approaching it with a checklist based mind. It is because it is a quite good prescriptive standard.” Overall, this post exudes awesomeness.

“Prepare Ye List Of PCI Grievances” is a pre-meeting post by Dave Taylor, worth a read. It has gems like : “Why is it that [issuing] banks say they don’t think they have to comply with PCI, when their debit cards are co-branded and carry the same risks of theft and even more risks to consumers.” Dave also has the second meeting post about the famous PwC reports: “The Two Scenarios Coming From The PWC PCI Report” (quote: “there were no reported fistfights” at the meeting), read the comments too.

NetSPI folks add “Maturity and Convergence at the PCI-SSC Community Meeting” which mentions risk: “the focus on moving to more of a risk-based approach to implementing the PCI DSS. The council was only lukewarm to this idea […] Managing a risk-based approach may be something that is incorporated over time, but it adds too much subjectivity [A.C. – yes!] to the current PCI program.”

I am not at Qualys anymore and looking for the next big security idea to work on! Meanwhile, I might be available for fun consulting projects related to PCI, log management or other fun security and compliance things.

Thursday, October 01, 2009

As we all know, blogs are a bit "stateless" and a lot of good content gets lost since many people, sadly, only pay attention to what they see today. These monthly round-ups is my attempt to remind people of useful content from the past month! If you are “too busy to read the blogs,” at least read these.

“Bad Humor: Funny Security Roles” is one of those posts inspired by beer :-) Just read it, then maybe consider a career of “Experienced cloud security veteran” or “Executive security reverse engineer”.

I am not at Qualys anymore and looking for the next big security idea to work on! Meanwhile, I might be available for fun consulting projects related to PCI DSS, log management, SIEM or other fun security things.

About Me

He is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of books "Security Warrior", "PCI Compliance", "Logging and Log Management" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS, security management, honeypots, etc . His blog securitywarrior.org was one of the most popular in the industry.

In addition, Anton teaches classes (including his own SANS class on log management) and presents at many security conferences across the world; he recently addressed audiences in United States, UK, Singapore, Spain, Russia and other countries. He worked on emerging security standards and served on the advisory boards of several security start-ups.

Before joining Gartner in 2011, Anton was running his own security consulting practice www.securitywarriorconsulting.com, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.